The Federal House Energy and Commerce Committee released a draft of their new legislation, the American Privacy Rights Act (the “Act”) earlier this month.
The Act intends to establish a national data privacy and security standard that gives Americans the right to control their personal information. Despite being in the early stages of the legislative process, the Act has received high praise from both sides of the aisle and business executives.
KingSpry’s Employment Law Chair, Avery E. Smith, Esq., details the American Privacy Rights Act and how it may impact companies upon enactment.
Purpose
The Act signifies Congress’ bipartisan efforts to establish a comprehensive data privacy law that enforces mechanisms to hold violators accountable. According to the Federal House Energy and Commerce Committee Chairs, the Act is a landmark piece of legislation that will balance issues related to data privacy and Americans’ right to control their data.
Who Will Be Affected?
The Act applies to “covered entities,” which are defined as entities that determine the purpose and means of collecting, processing, retaining, or transferring covered data. Covered data is defined by the Act as information that identifies, is linked, or is reasonably linkable to an individual or a device.
Exempt Businesses
Businesses that do not engage in the selling of users’ personal information are exempt from the Act. Such businesses include small businesses, governments, and entities working on behalf of government.
To meet the classification of a “small business” under the Act, an entity must meet following criteria:
- Less than $40 million in annual revenue;
- Annually processes the covered data of 200,000 individuals or less (with exceptions relating to payment processing); and
- Does not transfer covered data to a third party in exchange for revenue or anything of value.
What Will the Act Achieve?
Uniform Rights: In its current form, the Act establishes uniform national data privacy rights for all Americans. This puts Americans in control of their personal data and grants them the ability to prevent the transfer or selling of their data. Additionally, companies will be required to permit individuals access to correct, delete, and export their data.
Enforcement: The Act grants Americans the ability to enforce their data privacy rights by suing bad actors and recovering damages. The Act further prohibits companies from enforcing mandatory arbitration, should an individual sue them. The Federal Trade Commission (FTC) will also have authority to enforce the Act.
Protection: The Act aims to protect Americans’ Civil Rights by preventing companies from using personal information to discriminate against individuals. Annual reviews of algorithms will be required to ensure that companies do not put individuals at risk of discrimination.
Transparency: The Act requires covered entities to have publicly available privacy policies.
Accountability: The Act mandates stronger data security standards, and compels company executives to take responsibility for ensuring compliance.
Effective Date
The Act is yet to be passed by both chambers of Congress. However, due to significant bipartisan support, it is likely that the Act will become law before the current legislative session ends. Upon enactment, the Act will take effect in 180 days.
Moving Forward
Although the Act is still in the early stages of the legislative process, executives should be proactive in reviewing the draft and determine what implications their company may face.
KingSpry’s Employment Law Team, chaired by Avery E. Smith, and Business Law Team, chaired by Matthew T. Tranter, are prepared to assist businesses in answering questions regarding the proposed American Privacy Rights Act. Should you have questions regarding the impact it may have on your company, contact your legal counsel or an attorney at KingSpry.
